Re: package.el + DVCS for security and convenience
From: Ted Zlatanov
Subject: Re: package.el + DVCS for security and convenience
Date: Fri, 04 Jan 2013 14:06:30 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Fri, 04 Jan 2013 13:11:09 -0500 Stefan Monnier <address@hidden> wrote:

>> Now, since everyone but Xue Fuqiao has told me that tying package.el to
>> the DVCS is a bad idea, we need to decide how these signatures will be
>> stored in the ELPA, and how they can fit into the existing ELPA
>> structure. Nic Ferrier's proposal of a "key package" seems workable;
>> that package can be signed with the GNU ELPA maintainer's public key to
>> bootstrap the rest of the process.

SM> The signatures should be added to the `archive-contents' file.

I think `archive-contents' should contain just the keys allowed to sign
the package, not the signatures whole. Otherwise, for multi-file
packages, the file could get large and the format could be awkward. To
support both single-file and multi-file packages, I propose an X.sig
signature file for each file X in the package directory hierarchy.

I think it's better to have the GNU ELPA maintainers sign package
releases, not to delegate that to the authors. That would make it
unnecessary to modify the `archive-contents' format at all to store the
author keys. It's more work for the GNU ELPA maintainers, but much less
work for the authors. I imagine it would work, on the maintainer side,
by modifying `archive-contents' with the new version, and then the
deployment script would sign each file as it deploys it in place.

Either way, the entire `archive-contents' file will be signed by one of
the GNU ELPA maintainer keys in `archive-contents.sig', right? How do
we distribute the GNU ELPA maintainer keys? With Emacs itself?

Ted
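
An added sketch (not code from this thread or from package.el) of a client-side audit for the layout proposed above, one detached `X.sig` per file `X`: it reports files with no signature, signatures with no file, and files whose signature fails to verify. The names `audit_tree` and `gpgv_verify` and the sample tree are assumptions; the demo swaps in a constructed stand-in verifier so it runs without GnuPG or a maintainer keyring.

```python
"""Added example: audit a package tree that carries one X.sig per file X."""
import os
import subprocess
import tempfile


def gpgv_verify(keyring, sig_path, data_path):
    """Check a detached signature with gpgv against a fixed keyring file."""
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def audit_tree(root, verify):
    """Walk root and classify files; verify(sig_path, data_path) -> bool."""
    report = {"unsigned": [], "orphan_sigs": [], "bad": []}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(".sig"):
                if name[:-4] not in names:      # signature without its file
                    report["orphan_sigs"].append(rel)
            elif name + ".sig" not in names:    # file nobody signed
                report["unsigned"].append(rel)
            elif not verify(path + ".sig", path):
                report["bad"].append(rel)       # signature does not match
    return report


def demo():
    """Constructed sample tree; the verifier here is a stand-in, not gpgv."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        for rel, body in [("pkg.el", "ok"), ("pkg.el.sig", "sig"),
                          ("lib/util.el", "tampered"), ("lib/util.el.sig", "sig"),
                          ("lib/extra.el", "ok"), ("README.sig", "sig")]:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)

        def fake_verify(_sig_path, data_path):
            with open(data_path) as fh:
                return fh.read() != "tampered"

        return audit_tree(root, fake_verify)


if __name__ == "__main__":
    print(demo())
```

With a real keyring, pass `lambda s, d: gpgv_verify("maintainers.gpg", s, d)` as the verifier, where `maintainers.gpg` is a placeholder keyring file name.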